
Beware Cowboy Mobile VPN Apps

A new paper (.pdf) highlights the dangers of many free mobile VPN apps. Researchers studied 283 free Android VPN apps available through the Google Play Store. Many of these are very popular, and have been rated highly by their users. Alarmingly:

  • 75% of the apps tested use third-party tracking libraries.
  • 82% unnecessarily request permissions to access sensitive data. This includes user accounts and text messages.
  • 38% contain some form of malware (adware 43%, trojan 29%, malvertising 17%, riskware 6% and spyware 5%).
  • 18% do not even encrypt users’ data.
  • 18% provide no information on who is hosting the VPN servers.
  • 16% forward traffic through other users’ network bandwidth.
  • 84% expose the user’s real IP address via IPv6 DNS leaks.
  • 16% deploy non-transparent proxies that modify users' HTTP traffic. This includes injecting JavaScript code for advertising and tracking purposes.
  • Four of the analysed apps perform TLS interception. Although three of these claim this is in order to perform traffic acceleration, it allows them to selectively intercept data sent to secure HTTPS sites such as banks, email services, e-commerce sites, and online tax return websites.

These figures are frankly shocking. All the more so because people use these apps in the belief that they will improve their online privacy and security!
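One way to check a single app for the permission problem in the list above (an added example, not code from the paper or from this site): the script flags a VPN app whose manifest requests access to user accounts or text messages. It assumes the APK's binary manifest has already been decoded to text XML; the package name and the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Android permission names for the two data types the article names.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "user accounts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.SEND_SMS": "text messages",
}
# A service guarded by this permission is how an app plugs into Android's VPN API.
VPN_BIND = "android.permission.BIND_VPN_SERVICE"

# Constructed manifest for a hypothetical app, already decoded to text XML.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Report whether the app declares a VPN service and which sensitive permissions it requests."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(ANDROID + "name") for e in root.iter(tag))
    is_vpn = any(s.get(ANDROID + "permission") == VPN_BIND for s in root.iter("service"))
    flagged = {p: SENSITIVE[p] for p in sorted(p for p in requested if p in SENSITIVE)}
    return {"is_vpn_app": is_vpn, "flagged": flagged}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("Declares a VPN service:", report["is_vpn_app"])
    for perm, data in report["flagged"].items():
        print(f"  requests {perm} (access to {data})")
```

A VPN client needs network access to do its job; nothing about tunnelling traffic requires reading accounts or SMS, so any entry in the flagged list deserves an explanation from the developer.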


DNS Resolvers

The researchers also found that,

Notably, 55% of the free apps (and 60% of premium apps) redirect user’s DNS queries to Google DNS whereas 7% of free and 10% of premium VPN apps forward DNS traffic to their own DNS resolvers.

It is not clear, however, whether DNS requests sent to Google or other third-party DNS resolvers are proxied by the VPN providers. If so, the issue is not as problematic as it may first appear, as the identity of the person making the DNS request will be hidden from Google et al.

Of course, if the DNS requests are not being proxied, and are instead going direct to Google and the like, this is terrible news for privacy.
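Whether DNS queries travel inside the tunnel or go straight to the resolver can be settled from a packet capture taken upstream of the phone (for example on the Wi-Fi gateway) while the VPN is connected. This added example, which is not from the paper or the original article, parses "tcpdump -n" text output and reports every clear-text DNS query, IPv4 or IPv6; the capture lines, addresses and domain are constructed.

```python
import re

# Google Public DNS, the resolver most of the studied apps were found to use.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"}

# Matches a DNS query line as printed by "tcpdump -n", for example:
#   12:00:01.1 IP 192.168.1.20.41234 > 8.8.8.8.53: 4660+ A? bank.example. (30)
QUERY = re.compile(
    r"^\S+ (IP6?) \S+\.\d+ > (\S+)\.(\d+): \d+\S*(?: \[[^\]]*\])? (\w+)\? (\S+)"
)

# Constructed capture: tunnel packets to a VPN server plus two stray DNS queries.
SAMPLE_CAPTURE = """\
12:00:00.500000 IP 192.168.1.20.51820 > 203.0.113.10.1194: UDP, length 120
12:00:01.100000 IP 192.168.1.20.41234 > 8.8.8.8.53: 4660+ A? bank.example. (30)
12:00:01.200000 IP6 2001:db8::20.41235 > 2001:4860:4860::8888.53: 4661+ [1au] AAAA? bank.example. (41)
12:00:01.300000 IP 8.8.8.8.53 > 192.168.1.20.41234: 4660 1/0/0 A 192.0.2.80 (46)
12:00:02.000000 IP 192.168.1.20.51820 > 203.0.113.10.1194: UDP, length 96
"""


def find_dns_leaks(capture_text):
    """Return every clear-text DNS query (destination port 53) seen in the capture."""
    leaks = []
    for line in capture_text.splitlines():
        m = QUERY.match(line.strip())
        if not m or m.group(3) != "53":
            continue  # tunnel traffic, DNS responses and anything else
        family, resolver, _port, qtype, qname = m.groups()
        leaks.append({
            "family": "IPv6" if family == "IP6" else "IPv4",
            "resolver": resolver,
            "google": resolver in GOOGLE_DNS,
            "qtype": qtype,
            "qname": qname.rstrip("."),
        })
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        owner = "Google DNS" if leak["google"] else "other resolver"
        print(f'{leak["family"]} {leak["qtype"]} query for {leak["qname"]} '
              f'sent in the clear to {leak["resolver"]} ({owner})')
```

An empty result on a capture that still shows traffic to the VPN server means the queries are going through the tunnel rather than direct to the resolver.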

VPN Apps Are a Burgeoning Market, Ripe for Exploitation

Governments across the world are stepping up warrantless, blanket surveillance of their populations. Online companies scan our emails and track us as we surf the web in order to target ever more personalized ads at our browser windows. Copyright trolls track downloaders in order to threaten them into paying damage reparations.

Internet users are becoming increasingly aware of all this and, quite understandably, don’t like it. This has fuelled a huge rise of interest in VPN technology.

In theory, this is great, as VPNs (and VPN apps) can indeed help to counter these problems. However, this surge of interest in VPNs has also led to an increase in cowboy outfits keen to exploit this new trend.

Most Android Users Pick Apps Based on Two Factors

The first is the popularity of apps and the star rating given to them by other users on the Play Store. These indicators simply cannot be trusted, however, because the people downloading the apps and leaving reviews do not have the technical competence to assess the privacy and security implications of using these apps.

This explains why, despite the paper’s damning findings when analyzing these apps, 37% of them have more than 500,000 installs, and 25% of them receive at least a four-star rating from users!

[Image: VPN apps complaints]

Here we can clearly see that app reviewers on the Play Store are much more concerned about bugs and battery life than with privacy and security issues.

The second criterion is price, and most people’s favorite price by far is FREE! That's all well and good, but running a VPN service is a costly and time-consuming business. So no-one, and I mean no-one, is going to do it for free.

If you are not paying for a service in hard currency then it is making money from you in some other way. “There ain’t no such thing as a free lunch,” and, “if you aren’t paying for a product then you are the product” are both appropriate adages here.

So How Can I Stay Safe?

As long as you understand their limitations, VPN apps are still a great way to improve your privacy and security when using an Android device. The important thing is to choose a good app from a reputable VPN provider. This is admittedly easier said than done. The following advice should help, however.

1. Avoid free VPN apps. As discussed above, if you are not paying for the product then you are the product. Reputable commercial VPN services can be had for under $5 per month.

2. If you really must use a free VPN app, understand how the service finances itself. Reputable free VPN services do exist, but these are invariably very restricted. They are offered in the hope of enticing you to pay for an unrestricted premium service. This might be annoying, but it is, at least, transparent. Please see our list of recommended free VPN services.

3. Check out provider reviews on (of course!). If a provider is, in general, well regarded, then its app is likely to be secure.

4. Avoid the myriad otherwise unheard-of, app-only, VPN services out there. They are most probably cowboys.

5. Use the OpenVPN for Android app by Arne Schwabe instead of custom VPN apps. This open source VPN client is officially recommended by the OpenVPN project. It is very secure and includes IPv4, IPv6, and WebRTC leak protection. It can even be configured to act as a kill switch.

The app uses regular OpenVPN configuration files, and so can be used with any regular commercial VPN service that offers OpenVPN. Note that although the app is free to download, you will need to sign up for a VPN service in order to use it (unless you run your own VPN server).

You will still need to trust your VPN provider, of course, but at least this way you can be 100% sure that the app you are using is secure.

Mobile VPN Apps: Conclusion

The researchers focused exclusively on Android apps, and free ones at that (although some offered in-app purchases for premium products). There are some aspects of the way Android works that make it very easy to create rogue Android apps, but many of the problems discovered will almost certainly exist in iOS apps as well.

The best way to avoid VPN apps that compromise, rather than enhance, your online privacy and security is to do some research, and only use apps from a reputable, paid-for VPN provider. As the old Roman saying goes, caveat emptor - it is the buyer's responsibility to check the quality and suitability of a product before buying it. This applies even more when the cost is not obvious.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


Amal Kumar
on May 15, 2017
Hi, I am a first-time user and need a safe VPN system which I can work on my Android phone using 4G mobile data. I also seek to make calls from the country's server I have chosen. For example, if I choose the UK server I should be able to make calls and WhatsApp from a UK number. Is that doable? Please help as I am new to this VPN concept and do not wish to waste money by choosing the wrong app. Please suggest an app which will be suitable. I would be grateful indeed. Thank you in advance.
Douglas Crawford replied to Amal Kumar
on May 16, 2017
Hi Amal, Please see 5 Best VPNs for Android for a list of great (and "safe") VPN providers. Unfortunately, a VPN will not help you with WhatsApp unless you already have a UK number.
on March 1, 2017
I have been trying to find a VPN for my home computer. I don't trust the online reviews. Can you recommend one or at least a list of honest reviewed VPNs? Thanks.
Douglas Crawford replied to Keith
on March 2, 2017
Hi Keith, Please see our 5 Best VPN Services list. My personal recommendations (for services that I have reviewed myself) are ExpressVPN, AirVPN or IVPN (I have linked to my reviews of these services, which, as I hope you will be able to tell when you read them, are my 100% honest assessment).
on February 4, 2017
What's weird for a VPN is to use Google DNS resolvers, even behind a proxy or whatever. Google blocks lots of domains, some sites are not listed! Which criteria? Censorship, nothing else! But it does not seem to surprise anyone...
Douglas Crawford replied to
on February 6, 2017
Hi, To be honest, I don't really see the problem with using Google DNS if the DNS requests are proxied by the VPN provider. Google will simply see that the requests come from the VPN provider. If you feel that I am missing something important here, I am happy to discuss the issue.
Felipe Alarcon
on February 4, 2017
Hi. I use Cyberghost VPN, on my PC and Android, but I have a paid plan for it. But after reading your article I became concerned with my privacy. Can you recommend if I should change my paid VPN service from Cyberghost to another one? Thanks.
Douglas Crawford replied to Felipe Alarcon
on February 6, 2017
Hi Felipe, The results shown in this paper re. CyberGhost are somewhat concerning.
